On 18/05/2017 09:54, Huang, Kai wrote:
>>
>> I would start with read-only LE hash (same as the host), which is a
>> valid configuration anyway. Then later we can trap EINIT to emulate
>> IA32_SGXLEPUBKEYHASHn.
>
> You mean we can start with creating guest without Qemu 'lewr' parameter
> support, and always disallowing guest to change IA32_SGXLEPUBKEYHASHn?
> Even in this way, KVM still needs to emulate IA32_SGXLEPUBKEYHASHn (just
> allow MSR reading but not writing), and write guest's value to physical
> MSRs when running guest (trapping EINIT and write MSRs during EINIT is
> really just performance optimization). Because host can run multiple LEs
> and change MSRs.

Oh, I didn't know this. So I guess there isn't much benefit in skipping
the trapping of EINIT.

Paolo

> Your suggestion only works when runtime change to
> IA32_SGXLEPUBKEYHASHn is disabled on host (meaning physical machine).